IPv6: Address Assignment and Partially Meshed Networks

Part 1: Address Assignment

Theory to verify

The Flags field of the ICMPv6 RA message

The Flags field of the IPv6 Prefix Information option in the ICMPv6 RA message

Lab topology

Initial configuration and initial results

Lab steps

Step 1: obtaining an address through stateless autoconfiguration

AR1:

[AR1]int g 0/0/0
[AR1-GigabitEthernet0/0/0]ipv6 enable
[AR1-GigabitEthernet0/0/0]ipv6 address auto global

AR2:

[AR2]ipv6
[AR2]interface GigabitEthernet 0/0/0
[AR2-GigabitEthernet0/0/0]ipv6 enable
[AR2-GigabitEthernet0/0/0]ipv6 address 2000:1::2/64
[AR2-GigabitEthernet0/0/0]undo ipv6 nd ra halt

Verification:

[AR1]dis ipv6 int b
*down: administratively down
(l): loopback
(s): spoofing
Interface Physical Protocol
GigabitEthernet0/0/0 up up
[IPv6 Address] 2000:1::2E0:FCFF:FECB:71BA                           //The first 64 bits of this address are the prefix learned from the RA; the last 64 bits are the interface ID computed according to EUI-64. The MAC address of AR1's G0/0/0 is 00e0-fccb-71ba; invert the 7th bit (here 0 becomes 1) and insert FFFE between the first 24 and the last 24 bits of the MAC to obtain 02E0:FCFF:FECB:71BA.
[AR1]dis dhcpv6 client
[AR1]

[AR1]dis int g 0/0/0
GigabitEthernet0/0/0 current state : UP
Line protocol current state : DOWN
Description:HUAWEI, AR Series, GigabitEthernet0/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet protocol processing : disabled
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fccb-71ba

Packet capture analysis:

Step 2: stateless autoconfiguration fails to obtain an address

Clear the L and A bits so that the prefix in the RA is not treated as on-link and hosts receiving the RA cannot use it for stateless address autoconfiguration.

AR2:

[AR2-GigabitEthernet0/0/0]ipv6 nd ra prefix 2000:1:: 64 3600 1800 no-autoconfig off-link 

Verification:

[AR1]dis ipv6 int brief
*down: administratively down
(l): loopback
(s): spoofing
Interface Physical Protocol
GigabitEthernet0/0/0 up up
[IPv6 Address] FE80::2E0:FCFF:FECB:71BA

Packet capture analysis:

Step 3: stateful acquisition of an address and other parameters (DNS, etc.)

AR1:

dhcp en

#
interface GigabitEthernet0/0/0
ipv6 enable
ipv6 address auto global
ipv6 address auto dhcp

AR2:

dhcp enable
#
dhcpv6 pool user_pool
address prefix 2021::/64
dns-server 2021::114:114
dns-domain-name huawei.com
#
interface GigabitEthernet0/0/0
ipv6 enable
ipv6 address 2000:1::2/64
ipv6 address 2021::2/64
undo ipv6 nd ra halt
ipv6 nd autoconfig managed-address-flag                        //assign the IP address through stateful autoconfiguration (M flag)
ipv6 nd autoconfig other-flag                                            //assign the other parameters through stateful autoconfiguration (O flag)
dhcpv6 server user_pool

Verification:

[AR1]dis ipv6 int b
*down: administratively down
(l): loopback
(s): spoofing
Interface Physical Protocol
GigabitEthernet0/0/0 up up
[IPv6 Address] 2021::1
[AR1]dis dhcpv6 client
GigabitEthernet0/0/0 is in stateful DHCPv6 client mode.
State is BOUND.
Preferred server DUID : 0003000100E0FC87691E
Reachable via address : FE80::2E0:FCFF:FE87:691E
IA NA IA ID 0x00000031 T1 43200 T2 69120
Obtained : 2021-08-26 10:37:57
Renews : 2021-08-26 22:37:57
Rebinds : 2021-08-27 05:49:57
Address : 2021::1
Lifetime valid 172800 seconds, preferred 86400 seconds
Expires at 2021-08-28 10:37:57(172728 seconds left)
DNS server : 2021::114:114

Packet capture analysis:

Step 4: stateless acquisition of the IP address, stateful acquisition of other parameters (DNS, etc.)

AR1:

interface GigabitEthernet0/0/0
ipv6 enable
ipv6 address auto global
dhcpv6 client information-request                     //allows the other parameters (DNS server, domain name) to be obtained statefully. This only enables the capability; whether the other parameters are actually obtained statefully is still decided by the O bit in the RA. If so, the host initiates the request and the router replies with the other parameters. The IP address needs no request; it is delivered to the host with the RA.

AR2:

dhcpv6 pool user_pool
dns-server 2021::114:114
dns-domain-name huawei.com
#
interface GigabitEthernet0/0/0
ipv6 enable
ipv6 address 2000:1::2/64
undo ipv6 nd ra halt
ipv6 nd autoconfig other-flag
dhcpv6 server user_pool

Verification:

[AR1]dis dhcpv6 client interface GigabitEthernet 0/0/0
GigabitEthernet0/0/0 is in stateless DHCPv6 client mode.
State is OPEN.
Preferred server DUID : 0003000100E0FC87691E
Reachable via address : FE80::2E0:FCFF:FE87:691E
Infomation refresh time is 86400 seconds
DNS server : 2021::114:114

[AR1]dis ipv6 int b
*down: administratively down
(l): loopback
(s): spoofing
Interface Physical Protocol
GigabitEthernet0/0/0 up up
[IPv6 Address] 2000:1::2E0:FCFF:FECB:71BA

Packet capture analysis:

AR1 obtains the other parameters through DHCPv6. The destination address is FF02::1:2, the multicast address that DHCPv6 servers listen on.
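As an added example (not from the original post), the following Python decodes an ICMPv6 RA the way the host side of this lab interprets it: it reads the M/O flags and the L/A flags of the Prefix Information option, derives the EUI-64 interface ID from AR1's MAC as in Step 1, forms the link-local and SLAAC addresses, and picks the DHCPv6 mode exercised in Steps 3 and 4. The RA bytes produced by build_ra are constructed for illustration (checksum left at zero); the prefix and MAC are the ones shown in the outputs above.

```python
"""Decode an ICMPv6 Router Advertisement and derive what a host does with it.
Added example, not part of the original lab; RA bytes are constructed."""
import ipaddress
import struct

MAC_AR1 = "00e0-fccb-71ba"   # AR1 G0/0/0 MAC from the 'display interface' output

def eui64_interface_id(mac: str) -> bytes:
    """48-bit MAC (Huawei 'xxxx-xxxx-xxxx' or colon form) -> modified EUI-64 IID."""
    octets = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])  # insert FFFE in the middle
    iid[0] ^= 0x02                                           # flip the U/L bit (7th bit)
    return bytes(iid)

def parse_ra(icmp6: bytes) -> dict:
    """Return the M/O flags and the Prefix Information options of an RA (RFC 4861)."""
    typ, code, _csum, _hops, flags, _rlife, _reach, _retrans = struct.unpack("!BBHBBHII", icmp6[:16])
    if (typ, code) != (134, 0):
        raise ValueError("not a Router Advertisement")
    ra = {"M": bool(flags & 0x80), "O": bool(flags & 0x40), "prefixes": []}
    off = 16
    while off + 2 <= len(icmp6):
        otype, olen = icmp6[off], icmp6[off + 1] * 8
        if olen == 0 or off + olen > len(icmp6):
            raise ValueError("malformed option length")
        if otype == 3 and olen == 32:                        # Prefix Information option
            plen, pflags = icmp6[off + 2], icmp6[off + 3]
            prefix = ipaddress.IPv6Address(icmp6[off + 16:off + 32])
            ra["prefixes"].append({"prefix": f"{prefix}/{plen}",
                                   "L": bool(pflags & 0x80), "A": bool(pflags & 0x40)})
        off += olen
    return ra

def host_decision(ra: dict, mac: str) -> dict:
    """SLAAC addresses the host may form, plus the DHCPv6 mode the M/O bits call for."""
    iid = eui64_interface_id(mac)
    slaac = [str(ipaddress.IPv6Address(
                 ipaddress.IPv6Network(p["prefix"], strict=False).network_address.packed[:8] + iid))
             for p in ra["prefixes"] if p["A"] and p["prefix"].endswith("/64")]
    mode = "stateful" if ra["M"] else "stateless" if ra["O"] else "none"
    return {"link_local": str(ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)),
            "slaac": slaac, "dhcpv6": mode}

def build_ra(m: bool, o: bool, l: bool, a: bool) -> bytes:
    """Constructed RA: one 2000:1::/64 PIO (valid 3600 s, preferred 1800 s), checksum 0."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, (m << 7) | (o << 6), 1800, 0, 0)
    pio = struct.pack("!BBBBIII", 3, 4, 64, (l << 7) | (a << 6), 3600, 1800, 0)
    return hdr + pio + ipaddress.IPv6Address("2000:1::").packed
```

Running host_decision over build_ra(False, False, True, True) reproduces Step 1 (2000:1::2e0:fcff:fecb:71ba, no DHCPv6), clearing L and A reproduces Step 2 (only the link-local address), and setting M or O alone selects the stateful or stateless DHCPv6 mode of Steps 3 and 4.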

Part 2: Partially Meshed Network

Theory to verify

Use configuration to achieve reachability between loopback interfaces across a partially meshed network

Lab topology

Initial configuration

Configure the interface and loopback IPv6 addresses on the routers, and enable port isolation on the switch so that ports 2 and 3 cannot reach each other.

[LSW1]port-group group-member GigabitEthernet 0/0/2 to GigabitEthernet 0/0/3

[LSW1-port-group]port-isolate enable

Initial results

AR1 can ping the interconnect interfaces of AR2 and AR3, but AR2 and AR3 cannot ping each other.

[AR1]ping ipv 2001:155:1::3
PING 2001:155:1::3 : 56 data bytes, press CTRL_C to break
Reply from 2001:155:1::3
bytes=56 Sequence=1 hop limit=64 time = 120 ms

[AR1]ping ipv 2001:155:1::2
PING 2001:155:1::2 : 56 data bytes, press CTRL_C to break
Reply from 2001:155:1::2
bytes=56 Sequence=1 hop limit=64 time = 100 ms

[AR2]ping ipv 2001:155:1::3
PING 2001:155:1::3 : 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out

--- 2001:155:1::3 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
round-trip min/avg/max = 0/0/0 ms

Lab steps:

1. First, solve the partial-mesh problem

IPv6 has no ARP, so for two nodes to communicate, first check whether a neighbor entry exists. AR2 has no neighbor entry for AR3, and likewise AR3 has no neighbor entry for AR2.

So to achieve reachability, simply add the neighbors manually (the same principle as a static ARP entry in IPv4).

[AR2-GigabitEthernet0/0/0]ipv6 neighbor 2001:155:1::3 00e0-fcc9-7315                 //the address is AR3's, but the MAC is AR1's MAC

[AR3-GigabitEthernet0/0/0]ipv6 neighbor 2001:155:1::2 00e0-fcc9-7315                 //the address is AR2's, but the MAC is AR1's MAC

The partial-mesh problem is now solved:

[AR3]ping ipv6 2001:155:1::2
PING 2001:155:1::2 : 56 data bytes, press CTRL_C to break
Reply from 2001:155:1::2
bytes=56 Sequence=1 hop limit=63 time = 110 ms

Next, configure reachability between the loopback interfaces

Communication from AR1 to the loopbacks of AR2 and AR3:

For easier identification, change the link-local addresses of G0/0/0 on AR1, AR2 and AR3 to fe80::1, fe80::2 and fe80::3.

Configure static routes on AR1

[AR1]ipv6 route-static 2001:150:1:2::2 128 2001:155:1::2
[AR1]ipv6 route-static 2001:150:1:3::3 128 GigabitEthernet 0/0/0 fe80::3

[AR1]ipv6 route-static 2002:150:1:3::3 128 GigabitEthernet 0/0/0 fe80::3
[AR1]ping ipv6 2001:150:1:2::2
PING 2001:150:1:2::2 : 56 data bytes, press CTRL_C to break
Reply from 2001:150:1:2::2
bytes=56 Sequence=1 hop limit=64 time = 100 ms

[AR1]ping ipv6 2001:150:1:3::3
PING 2001:150:1:3::3 : 56 data bytes, press CTRL_C to break
Reply from 2001:150:1:3::3
bytes=56 Sequence=1 hop limit=64 time = 80 ms

The pings succeed because, on the outbound path, AR1 has the static routes, and when AR2 and AR3 reply, the destination (AR1's G0/0/0 address 2001:155:1::1) is also reachable according to their neighbor tables.

Communication between the loopbacks of AR2 and AR3:

Writing the route with the global unicast address as the next hop works, because 2001:155:1::3 was already added to the neighbor table earlier.

[AR2]ipv6 route-static 2001:150:1:3::3 128 2001:155:1::3
[AR2]ping ipv6 2001:150:1:3::3
PING 2001:150:1:3::3 : 56 data bytes, press CTRL_C to break
Reply from 2001:150:1:3::3
bytes=56 Sequence=1 hop limit=63 time = 80 ms

If the route is written with the link-local address as the next hop:

[AR2]ipv6 route-static 2001:150:1:3::3 128 GigabitEthernet 0/0/0 fe80::3

But because AR2's neighbor table has no entry for FE80::3, communication is bound to fail, so add the FE80::3 neighbor manually.

[AR2-GigabitEthernet0/0/0]ipv6 neighbor fe80::3 00e0-fcc9-7315
[AR2-GigabitEthernet0/0/0]q
[AR2]ping ipv6 2001:155:1::3
PING 2001:155:1::3 : 56 data bytes, press CTRL_C to break
Request time out
Reply from 2001:155:1::3
bytes=56 Sequence=2 hop limit=63 time = 100 ms

Part 3: IPv6 ACL

Because IPv6 address resolution also happens at layer 3, take care when configuring IPv6 ACLs not to block NS and NA, which would leave the network unable to communicate.

Continue with the lab topology and configuration from Part 2

[AR2]acl ipv6 3000
[AR2-acl6-adv-3000]rule deny icmpv6 icmp6-type ?
INTEGER<0-255> ICMP type
Redirect Type=137, Code=0
echo Type=128, Code=0
echo-reply Type=129, Code=0
err-Header-field Type=4, Code=0
frag-time-exceeded Type=3, Code=1
hop-limit-exceeded Type=3, Code=0
host-admin-prohib Type=1, Code=1
host-unreachable Type=1, Code=3
neighbor-advertisement Type=136, Code=0
neighbor-solicitation Type=135, Code=0
network-unreachable Type=1, Code=0
packet-too-big Type=2, Code=0
port-unreachable Type=1, Code=4
router-advertisement Type=134, Code=0
router-solicitation Type=133, Code=0
unknown-ipv6-opt Type=4, Code=2
unknown-next-hdr Type=4, Code=1
[AR2-acl6-adv-3000]rule deny icmpv6 icmp6-type echo
[AR2-acl6-adv-3000]quit
[AR2]interface GigabitEthernet 0/0/0
[AR2-GigabitEthernet0/0/0]traffic-filter inbound ipv6 acl 3000

Now, apart from the neighbors that were configured manually, no neighbors can be learned automatically. Evidently all traffic is denied by default.

Add another rule to the ACL that permits all ICMPv6 packets other than ping:

[AR2-acl6-adv-3000]rule permit icmpv6

The entries still do not appear; this is probably an eNSP bug.

Prefix-list matching

[AR2]ip ipv6-prefix test permit :: 0 less-equal 128              //all addresses

[AR2]ip ipv6-prefix test permit 2000:: 3 greater-equal 3    //global unicast addresses

posted @ 2021-08-26 14:40  xiaohuihui4956